changeset 1559:92c93b4a3646 fuzz

Fix to be able to compile normal(ish) binaries with --enable-fuzz
author Matt Johnston <matt@ucc.asn.au>
date Wed, 28 Feb 2018 22:02:12 +0800
parents 2f64cb3d3007
children 02b226c2675e
files Makefile.in configure.ac dbutil.c fuzz-common.c fuzz-harness.c fuzz-wrapfd.c fuzz.h fuzzer-pubkey.c fuzzer-verify.c packet.c svr-session.c
diffstat 11 files changed, 49 insertions(+), 38 deletions(-) [+]
--- a/Makefile.in	Wed Feb 28 21:40:08 2018 +0800
+++ b/Makefile.in	Wed Feb 28 22:02:12 2018 +0800
@@ -61,14 +61,22 @@
 SCPOBJS=scp.o progressmeter.o atomicio.o scpmisc.o compat.o
 
 ifeq (@DROPBEAR_FUZZ@, 1)
-	COMMONOBJS += fuzz-common.o  fuzz-wrapfd.o
-endif
+	allobjs = $(COMMONOBJS) fuzz-common.o  fuzz-wrapfd.o $(CLISVROBJS) $(CLIOBJS) $(SVROBJS)
+	allobjs:=$(subst svr-main.o, ,$(allobjs))
+	allobjs:=$(subst cli-main.o, ,$(allobjs))
+	allobjs:=$(sort $(allobjs))
 
-dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
-dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
-dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
-dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-scpobjs=$(SCPOBJS)
+	dropbearobjs=$(allobjs) svr-main.o
+	dbclientobjs=$(allobjs) cli-main.o
+	dropbearkeyobjs=$(allobjs) $(KEYOBJS)
+	dropbearconvertobjs=$(allobjs) $(CONVERTOBJS)
+else
+	dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
+	dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
+	dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
+	dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
+	scpobjs=$(SCPOBJS)
+endif
 
 VPATH=@srcdir@
 srcdir=@srcdir@
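Review bot: `scpobjs=$(SCPOBJS)` is now only assigned in the `else` branch, so a `--enable-fuzz` build leaves `scpobjs` undefined; the `scp` rule's recipe is outside this hunk, but if it links with the same `$($@objs)` pattern the other targets use, scp would link with no object files under fuzz. Moving `scpobjs=$(SCPOBJS)` out of the conditional, since it does not depend on `allobjs`, keeps both branches equivalent for scp. The fuzz branch also links every client and server object into `dropbearkey` and `dropbearconvert`; that is the intent of the change, but a one-line comment above `allobjs` stating why (`# fuzz wrappers reference symbols from all binaries, so link everything except the main() objects`) would save the next reader from "fixing" it back.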
@@ -185,7 +193,7 @@
 	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
 
 dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS)
+	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
 
 # scp doesn't use the libs so is special.
 scp: $(SCPOBJS)  $(HEADERS) Makefile
@@ -260,7 +268,7 @@
 svrfuzzobjs=$(subst svr-main.o, ,$(dropbearobjs))
 
 # build all the fuzzers. This will require fail to link unless built with
-# make fuzzers LIBS=-lFuzzer.a 
+# make fuzz-targetsk FUZZLIB=-lFuzzer.a 
 # or similar - the library provides main().
 fuzz-targets: $(FUZZ_TARGETS) $(FUZZER_OPTIONS)
 
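Review bot: The rewritten usage comment contains a typo in the target name, `# make fuzz-targetsk FUZZLIB=-lFuzzer.a`, which should read `# make fuzz-targets FUZZLIB=-lFuzzer.a` to match the `fuzz-targets:` rule two lines below. While this comment is being edited, the preceding sentence "This will require fail to link unless built with" reads as garbled; "This will fail to link unless built with" is presumably what was meant.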
--- a/configure.ac	Wed Feb 28 21:40:08 2018 +0800
+++ b/configure.ac	Wed Feb 28 22:02:12 2018 +0800
@@ -323,7 +323,7 @@
 )
 
 AC_ARG_ENABLE(fuzz,
-	[  --enable-fuzz           Build fuzzing],
+	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
 	[
 		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
 		AC_MSG_NOTICE(Enabling fuzzing)
--- a/dbutil.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/dbutil.c	Wed Feb 28 22:02:12 2018 +0800
@@ -121,7 +121,7 @@
 	_dropbear_log(LOG_INFO, fmtbuf, param);
 
 #if DROPBEAR_FUZZ
-	// longjmp before cleaning up svr_opts
+	/* longjmp before cleaning up svr_opts */
     if (fuzz.do_jmp) {
         longjmp(fuzz.jmp, 1);
     }
--- a/fuzz-common.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzz-common.c	Wed Feb 28 22:02:12 2018 +0800
@@ -154,13 +154,15 @@
         return 0;
     }
 
-    // get prefix. input format is
-    // string prefix
-    //     uint32 wrapfd seed
-    //     ... to be extended later
-    // [bytes] ssh input stream
+    /*
+      get prefix. input format is
+      string prefix
+          uint32 wrapfd seed
+          ... to be extended later
+      [bytes] ssh input stream
+    */
 
-    // be careful to avoid triggering buffer.c assertions
+    /* be careful to avoid triggering buffer.c assertions */
     if (fuzz.input->len < 8) {
         return 0;
     }
@@ -181,7 +183,7 @@
     } else {
         m_malloc_free_epoch(1, 1);
         TRACE(("dropbear_exit longjmped"))
-        // dropbear_exit jumped here
+        /* dropbear_exit jumped here */
     }
 
     return 0;
--- a/fuzz-harness.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzz-harness.c	Wed Feb 28 22:02:12 2018 +0800
@@ -19,7 +19,7 @@
 
     for (i = 1; i < argc; i++) {
         if (argv[i][0] == '-') {
-            // ignore arguments
+            /* ignore arguments */
             continue;
         }
 
--- a/fuzz-wrapfd.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzz-wrapfd.c	Wed Feb 28 22:02:12 2018 +0800
@@ -21,7 +21,7 @@
 };
 
 static struct fdwrap wrap_fds[IOWRAP_MAXFD+1];
-// for quick selection of in-use descriptors
+/* for quick selection of in-use descriptors */
 static int wrap_used[IOWRAP_MAXFD+1];
 static unsigned int nused;
 static unsigned short rand_state[3];
@@ -66,7 +66,7 @@
 	wrap_fds[fd].mode = UNUSED;
 
 
-	// remove from used list
+	/* remove from used list */
 	for (i = 0, j = 0; i < nused; i++) {
 		if (wrap_used[i] != fd) {
 			wrap_used[j] = wrap_used[i];
@@ -94,7 +94,7 @@
 	}
 
 	if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode == UNUSED) {
-		// XXX - assertion failure?
+		/* XXX - assertion failure? */
 		TRACE(("Bad read descriptor %d\n", fd))
 		errno = EBADF;
 		return -1;
@@ -116,7 +116,7 @@
 	buf = wrap_fds[fd].buf;
 	if (buf) {
 		maxread = MIN(buf->len - buf->pos, count);
-		// returns 0 if buf is EOF, as intended
+		/* returns 0 if buf is EOF, as intended */
 		if (maxread > 0) {
 			maxread = nrand48(rand_state) % maxread + 1;
 		}
@@ -140,7 +140,7 @@
 	}
 
 	if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode == UNUSED) {
-		// XXX - assertion failure?
+		/* XXX - assertion failure? */
 		TRACE(("Bad read descriptor %d\n", fd))
 		errno = EBADF;
 		return -1;
@@ -148,7 +148,7 @@
 
 	assert(count != 0);
 
-	// force read to exercise sanitisers
+	/* force read to exercise sanitisers */
 	for (i = 0; i < count; i++) {
 		(void)volin[i];
 	}
@@ -186,7 +186,7 @@
 		return -1;
 	}
 
-	// read
+	/* read */
 	if (readfds != NULL && erand48(rand_state) < CHANCE_READ1) {
 		for (i = 0, nset = 0; i < nfds; i++) {
 			if (FD_ISSET(i, readfds)) {
@@ -198,7 +198,7 @@
 		FD_ZERO(readfds);
 
 		if (nset > 0) {
-			// set one
+			/* set one */
 			sel = fdlist[nrand48(rand_state) % nset];
 			FD_SET(sel, readfds);
 			ret++;
@@ -213,7 +213,7 @@
 		}
 	}
 
-	// write
+	/* write */
 	if (writefds != NULL && erand48(rand_state) < CHANCE_WRITE1) {
 		for (i = 0, nset = 0; i < nfds; i++) {
 			if (FD_ISSET(i, writefds)) {
@@ -224,7 +224,7 @@
 		}
 		FD_ZERO(writefds);
 
-		// set one
+		/* set one */
 		if (nset > 0) {
 			sel = fdlist[nrand48(rand_state) % nset];
 			FD_SET(sel, writefds);
--- a/fuzz.h	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzz.h	Wed Feb 28 22:02:12 2018 +0800
@@ -2,6 +2,7 @@
 #define DROPBEAR_FUZZ_H
 
 #include "config.h"
+
 #if DROPBEAR_FUZZ
 
 #include "includes.h"
--- a/fuzzer-pubkey.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzzer-pubkey.c	Wed Feb 28 22:02:12 2018 +0800
@@ -20,14 +20,14 @@
 
 	m_malloc_set_epoch(1);
 
-	// choose a keytype based on input
+	/* choose a keytype based on input */
 	uint8_t b = 0;
 	size_t i;
 	for (i = 0; i < Size; i++) {
 		b ^= Data[i];
 	}
 	const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
-	const char* keyblob = "blob"; // keep short
+	const char* keyblob = "blob"; /* keep short */
 
 	if (setjmp(fuzz.jmp) == 0) {
 		fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys", 
@@ -37,7 +37,7 @@
 	} else {
 		m_malloc_free_epoch(1, 1);
 		TRACE(("dropbear_exit longjmped"))
-		// dropbear_exit jumped here
+		/* dropbear_exit jumped here */
 	}
 
 	return 0;
--- a/fuzzer-verify.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/fuzzer-verify.c	Wed Feb 28 22:02:12 2018 +0800
@@ -57,7 +57,7 @@
 	} else {
 		m_malloc_free_epoch(1, 1);
 		TRACE(("dropbear_exit longjmped"))
-		// dropbear_exit jumped here
+		/* dropbear_exit jumped here */
 	}
 
 	return 0;
--- a/packet.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/packet.c	Wed Feb 28 22:02:12 2018 +0800
@@ -79,8 +79,8 @@
 	it's likely to be necessary */
 #if DROPBEAR_FUZZ
 	if (fuzz.fuzzing) {
-		// pretend to write one packet at a time
-		// TODO(fuzz): randomise amount written based on the fuzz input
+		/* pretend to write one packet at a time */
+		/* TODO(fuzz): randomise amount written based on the fuzz input */
 		written = iov[0].iov_len;
 	}
 	else
@@ -368,8 +368,8 @@
 
 #if DROPBEAR_FUZZ
 	if (fuzz.fuzzing) {
-		// fail 1 in 2000 times to test error path.
-		// note that mac_bytes is all zero prior to kex, so don't test ==0 !
+		/* fail 1 in 2000 times to test error path.
+		   note that mac_bytes is all zero prior to kex, so don't test ==0 ! */
 		unsigned int value = *((unsigned int*)&mac_bytes);
 		if (value % 2000 == 99) {
 			return DROPBEAR_FAILURE;
--- a/svr-session.c	Wed Feb 28 21:40:08 2018 +0800
+++ b/svr-session.c	Wed Feb 28 22:02:12 2018 +0800
@@ -186,7 +186,7 @@
 	}
 
 #if DROPBEAR_FUZZ
-	// longjmp before cleaning up svr_opts
+	/* longjmp before cleaning up svr_opts */
     if (fuzz.do_jmp) {
         longjmp(fuzz.jmp, 1);
     }